Former GCHQ employee tells government that companies using big data must employ ethics boards

Former GCHQ employee Dr David Macnish has advised the UK government that it needs to ensure that companies that use big data, like Google or Dunnhumby, employ an ethics board.

By Margi Murphy | Sep 17, 2015


Dr David Macnish, a former GCHQ employee, has advised that the government should extend the Data Protection Act to protect citizens who are increasingly involved, often unknowingly, in large data mining projects undertaken by corporations and governments.

If an ethics board were enforced, it would affect many UK companies embarking on big data projects to better understand their customers, as well as tech giants like Google, Facebook, Instagram and Twitter, whose business models run on collecting information about their users.

Macnish, who now works as a professor at Leeds’ University, submitted evidence during a discussion of the ethical challenges associated with big data, namely concerns over the gaining of informed consent, security of the data, and secondary use. Secondary use involves taking existing data sets, collected for one reason, and applying them to an unintended end. An example of this could be chemical research data becoming chemical weaponry data.

The ongoing inquiry by the Science and Technology committee is examining whether the government is doing enough to ensure that UK entrepreneurs can benefit from the data revolution, while looking at issues around data protection and privacy.

Macnish suggested, in evidence published this week, that the “data protection act be extended to include not just the collection of data on citizens but also the processing of that data such that citizens can at any time request and be told clearly the ends to which their data is being put.”

He added that ethics review boards should be put in place to watch over all big data projects and should sit in corporations, rather than the government. However, they should be monitored by the Information Commissioner’s Office.

Further, consent must be required by law prior to the collection of voluntary data by entrepreneurs, governments or corporates. Training and certification in security should be at least made available, and at best mandated, for those with access to large data sets, and certification should be available for all employees working with data, he added.

While Macnish’s suggestions mean the government could lose out on existing commercial data projects if it puts his recommendations into practice - like the dogged care.data project - he claimed it was worth getting data regulation “right” to gain public trust.

He said: “The Government should place a ban on using data without explicit, informed, voluntary prior consent.

“Failing an outright ban, the government should take a lead on this approach through its dealings with the public through the NHS, DWP, etc.

“There will be losses associated with the approach that I am advocating. The UK will not be able to use existing databases as readily as they might otherwise. Other states might edge ahead of the UK in terms of research on the basis of using data for which consent has not been sought.”

Macnish nodded to the Ashley Madison hacking scandal in his evidence, as well as the Snowden GCHQ and NSA hacks, as reference points for public feeling around cyber security, hacking and data collection. He added that technical security should not be the only priority; social engineering should be one too.

“The actions of Snowden, Hanson and others stress the fact that a technically secure system is only as secure as the people who use it,” he said.